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ABSTRACT 

We consider the problems of secret sharing and multiparty 
computation, assuming that agents prefer to get the secret 
(resp., function value) to not getting it, and secondarily, pre- 
fer that as few as possible of the other agents get it. We show 
that, under these assumptions, neither secret sharing nor 
multiparty function computation is possible using a mech- 
anism that has a fixed running time. However, we show 
that both are possible using randomized mechanisms with 
constant expected running time. 

Categories and Subject Descriptors 

F.l.l [Computation by Abstract Devices]: Models of 
Computation; F.m [Theory of Computation, Miscella- 
neous] 

General Terms 

Economics, Theory 

Keywords 

Game Theory, secret sharing, multiparty computation, iter- 
ated deletion of weakly dominated strategies, non-cooperative 
computing 

1. INTRODUCTION 

Secret sharing is one of the main building blocks in the 
modern cryptographic literature. Shamir's secret-sharing 
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scheme [18] allows someone to share a secret s (a natural 
number) among n other agents, so that any m of them may 
reconstruct it. The idea is simple: agent 0, who wants to 
share the secret, chooses an m — 1 degree polynomial / such 
that /(O) = s, and tells agent i f{i), for i = 1, . . . ,n; f{i) is 
agent i's "share" of the secret. Any m of agents 1, . . . ,n can 
recover the secret by reconstructing the polynomial (using 
Lagrange interpolation). However, any subset of size less 
than m has no idea what the secret is. 

The story underlying this protocol is that, of the n agents, 
at most n — m are "bad" . While the bad agents might not 
cooperate, the good agents will follow the protocol and pool 
their shares of the secret. The protocol guarantees that the 
bad agents cannot stop the good agents from reconstructing 
the secret. While for some applications it makes sense to 
consider "good" agents and "bad" agents, for other appli- 
cations it may make more sense to view the agents, not as 
good or bad, but as rational individuals trying to maximize 
their own utility. The agents have certain preferences over 
outcomes and can be expected to follow the protocol if and 
only if doing so increases their expected utility. 

As we show, if we make rather minimal assumptions about 
the preferences of the agents, and further assume that the 
way agents pool their shares of the secret is by (simultane- 
ously) broadcasting a message with their share, then there 
is a problem with Shamir's secret-sharing scheme: rational 
agents will simply not broadcast their shares. Suppose that 
each of the agents would prefer getting the secret to not 
getting it; a secondary preference is that the fewer of the 
other agents that get it, the better. It is then not hard 
to see that no agent has any incentive to broadcast his or 
her share of the secret. Consider agent I's situation: either 
m — 1 other agents broadcast their share, or they do not. If 
they do, then agent 1 can reconstruct the secret; if not, she 
cannot. Whether or not she sends her share does not affect 
whether others send theirs (since all the broadcasts are sup- 
posed to happen simultaneously). Moreover, if only m — 1 
other agents broadcast their shares, then sending her share 
will enable others to figure out the secret. So if she does not 
send her share in this circumstance, then she will be able 
to figure out the secret (her share combined with the m — 1 
others will suffice), while no one who sent their share will. 
Thus, in game-theoretic terminology, not sending her share 
■weakly dominates sending her share. Intuitively, there is no 
good reason for her to send her share. Thus, rational agents 
running Shamir's protocol will not send any messages. 

Our first result shows that this problem is not confined 



to Shamir's protocol. Roughly speaking, wc show that, 
for any mechanism^ for sharcd-sccrct reconstruction with 
a commonly known upper bound on the running time, re- 
peatedly deleting all weakly-dominated strategies results in 
a strategy that is equivalent to each agent doing nothing. 
Roughly speaking, we argue that no agents will send a mes- 
sage in the last round, since they have no incentive to do so. 
Then wo proceed by backward induction to show that no 
agents will send a message k rounds before the end, for each 
k. (The actual backward induction process is more subtle, 
since we have to argue that, at each step in the deletion 
process, enough strategies have not been deleted to show 
that a strategy wc would like to delete is in fact dominated 
by another strategy.) Readers familiar with repeated pris- 
oners' dilemma will recognize that the argument is similar 
in spirit to the argument that shows that rational agents 
will always defect in repeated prisoners' dilemma where the 
number of repetitions is commonly known. In contrast to 
this impossibility result, we show that there is a random- 
ized secret-sharing mechanism for rational agents, where the 
recommended strategy is a Nash equilibrium that survives 
iterated deletion of weakly-dominated strategies. 

We next consider multiparty computation. In the trar- 
ditional multiparty computation problem, there is a set of 
participants, each of whom has a secret input. The aim of 
the protocol is to compute some function of these inputs 
without revealing any information other than the function's 
output, just as if a trusted party had performed the com- 
putations on the agents' behalf. For example, the secrets 
could be each person's net worth and the function would 
return who is richest. The protocol should compute this 
without revealing any other information about the partici- 
pants' wealth. (This example is known as the millionaire's 
problem, and was first discussed by Yao [20].) Again, it is 
assumed that some of the parties may be "bad" , usually less 
than 1/3 or 1/2 of the total participants, depending on as- 
sumptions [1, 5, 6, 12, 13, 20]. Everyone else is assumed to 
be good and to execute the protocol exactly as instructed. 

As in the case of secret sharing, we would like to consider 
what happens if the parties are all trying to maximize their 
utility, rather than being "bad" and "good". A number of 
new subtleties arise in multiparty computation. As is well 
known [12, Section 7.2.3], there is no way to force parties 
to participate in a protocol. We deal with this problem 
by assuming that the parties' utilities are such that it is in 
their interest to participate if the protocol is run correctly. 
A more serious problem is that there is no way to force a 
party to the protocol to use their "true" input. A party can 
correctly run the protocol using an arbitrary input, which 
may not necessarily be the same as its true input. For ex- 
ample, suppose that each agent has a private bit and the 
goal is to compute the exclusive or of the bits. If agent 
1 lies about her bit and everyone else tells the truth, then 
agent 1 will be able to compute the true exclusive or from 
the information provided by the trusted party, while no one 
else will. In some cases, if there is a trusted party, it may 
make sense to assume that everyone will truthfully reveal 
private information. For example, suppose that there is a 
vote, where the candidate with the most votes wins. In this 
case, almost by definition, what someone says her vote is 
is her actual vote. By way of contrast, consider a senator 

A mechanism can be thought of as a recommended protocol 
for agents to follow, from which they may defect. 



trying to determine whether a bill will pass by asking other 
senators how they intend to vote. Then there clearly may 
be a difference between how senators say they will vote and 
how they actually vote. 

Shoham and Tennenholtz [19] characterize which Boolean 
functions can be computed by rational agents with a trusted 
party. In their model, each agent has a secret input, and 
everyone is trying to compute some function of the inputs. 
There is a trusted party who waits to be told each player's 
input, then computes the value of the function and tells 
all players. Every agent's first priority is to learn the true 
value of the function; the second priority is to prevent the 
others from doing so. Agents may refuse to participate, or 
they may lie to the trusted party about their value. They 
call functions for which it is an equilibrium to tell the truth 
non-cooperatively computable (NCC). 

Our interest here is in which functions can be computed 
without a trusted party. We show that there is no mecha- 
nism with a commonly-known upper bound on running time 
for the multiparty computation of any nonconstant function. 
This result is of particular interest since all the standard 
multiparty computation protocols do have a commonly-known 
upper bound on running time [1, 5, 6, 12, 13, 20]. The re- 
sult also applies to protocols for the fair exchange of secrets, 
which is a particularly appropriate case for assuming the 
parties are both selfish. Again all the protocols we could find 
have a commonly-known upper bound on the running time 
[2, 3, 7, 8, 9, 14]. As in the case of secret sharing, we also 
have a positive result for multiparty computation. There 
are multiparty computation protocols (e.g., [13]) that use 
secret sharing as a building block. By essentially replacing 
their use of deterministic secret-sharing by our randomized 
secret-sharing protocol, we show that for all NCC functions, 
we can find a multiparty computation mechanism where the 
recommended strategy is a Nash equilibrium that survives 
iterated deletion of weakly-dominated strategies. These re- 
sults can be viewed as steps in the program advocated in [11] 
of unifying the strategic model and computational model in 
distributed algorithmic mechanism design. Our work is re- 
lated to [15], but uses a different solution concept. 

The rest of this paper is organized as follows. In Section 2 
we give the relevant background on Nash equilibrium, iter- 
ated deletion of weakly dominated strategies, and mecha- 
nisms. In Section 3 we consider secret sharing, sketch the 
proof of the impossibility result, and give the randomized 
secret-sharing mechanism. In Section 4, we consider mul- 
tiparty computation. We conclude in Section 5 with some 
open problems. 

2. NASH EQUILIBRIUM, ITERATED DELE- 
TION, AND MECHANISMS 

Wc adapt the standard definition of game trees from the 
game theory literature slightly for our purposes. A game F 
for n players is described by a (possibly infinite) forest of 
nodes. Intuitively, the root nodes of the forest describe the 
possible initial situations in the game, and the later nodes 
describe the results of the players' moves. We assume that 
there is a probability distribution over the root nodes; this 
can be thought of as a distribution over possible initial sit- 
uations. We assume that at each step, a player receives all 
the messages that were sent to it by other players at the 
previous step, performs some computation, then sends some 



messages (possibly none). Thus, we are implicitly assum- 
ing that the system is synchronous (players know the time 
and must decide what messages to send in each round before 
receiving any messages sent to them in that round) , commu- 
nication is guaranteed, and messages take exactly one round 
to arrive. These assumptions arc critical to the correctness 
of the algorithms we present; we believe that rational secret 
sharing and multiparty computation arc impossible in an 
asynchronous setting, or a setting where there is no upper 
bound on message delivery time. At each node, each player 
has a local state that describes its history, that is, the se- 
quence of computations performed, messages sent, and mes- 
sages received, and when each of those events happened and 
encodes its utility function. Associated with each run (i.e., 
path in the forest that starts at a root and is cither infinite 
or ends in a leaf) is a tuple {ui, . . . , w„) of real- valued utili- 
ties; intuitively, Ui is player i's utility if that path is played. 
Typically utilities are associated with leaves of game trees. 
For finite trees, we can identify the utility of a run with the 
utility of its leaf. Note that we need to consider infinite runs 
since a randomized mechanism may not terminate. 

Although it is standard in game theory to assume that ex- 
actly one player moves at each node, we implicitly assume 
that at each step all the players move. In game theory, for 
each player i, the nodes are partitioned into information 
sets. The nodes in an information set of player i are, intu- 
itively, nodes that player i cannot tell apart. Although we 
do not explicitly use information sets here, they are easy to 
define: player i's information set at a node v consists of all 
the nodes v' where she has the same local state. With this 
choice of information sets, it follows that each player i has 
perfect recall, since she remembers all her previous informa- 
tion sots and her actions. 

A strategy or protocol for player i is a (possibly random- 
ized) function from player i's local states to actions. (In 
the game theory literature, a strategy is a function from 
information sets to actions. Since wo are identifying local 
states with information sets, our usage of the term strategy 
is equivalent to the standard game theory usage.) A joint 
strategy a = (cti, . . . , cr„) is a tuple of strategies, one for each 
player. Note that a joint strategy determines a distribution 
over runs, which in turn determines an expected utility for 
each player. Let Ui{a) denote player i's expected utility if 
a is played. 

We use the notation a-i to denote a tuple consisting of 
each player's strategy in a other than player i's. We then 
sometimes abuse notation slightly and write {a-i,ai) for a. 
A joint strategy is a Nash equilibrium if no player has 
any incentive to do anything different, given what the other 
players arc doing. More formally, a is a Nash equilibrium if, 
for all players i and strategies al of player i, Ui{a-i,ai) > 
Ui{a-i,al). 

Although Nash equilibrium is a useful concept, there are 
many Nash equilibria that, in some sense, are unreasonable. 
As a consequence, many refinements of Nash equilibrium 
have been considered in the game theory literature; these arc 
attempts to identify the "good" Nash equilibria of a game 
(see, e.g., [17]). We focus here on one particular refinement 
of Nash equilibrium that is determined by iterated deletion 
of weakly-dominated strategies. Intuitively, we do not want 
a Nash equilibrium where some player uses a strategy that is 
weakly dominated. This intuition is well illustrated with m 
out of n secret sharing, with m < n. It is a Nash equilibrium 



for each player to send its share. Nevertheless, although a 
player does not do better by not sending her share if all 
other players send their share (since everyone will still know 
the secret), a player does no worse by not sending her share, 
and there are situations where she might do better. 

Formally, if Sj is a set of strategies for player j, j = 
1, . . . ,rt, we say that a strategy a £ Si is weakly dominated 
by r G iSi with respect to S-i if, for some strategy ff-i G 
S-i, we have Ui{a-i,a) < Ui{a-i,T) and, for all strategies 
€ S-i, we have Ui{a'_i,a) < Ui{a'_i,T). Thus, if a is 
weaJtly dominated by r with respect to S-i then player i 
should intuitively always prefer r to cr, since i always does 
at least as well with r as with a, and sometimes does better 
(given that we restrict to strategies in S-i). Strategy a £ Si 
is weakly dominated with respect to iSi x ■■■ x <Sn if there is 
some strategy t € Si that weakly dominates a with respect 
to S-i. 

Let DOMi{S\ X . . .xS„) consist of all strategies for player 
i that are weakly dominated with respect to >Si x . . . x iS„. 
Given a game F, let Sf consist of all strategies for player 
i in F. Assume that we have defined Si, for i — 1, . . . ,n, 
where Si consists of those strategies for player i that survive 
k rounds of iterated deletion. Let 5^+^ = S^ - DOMi{S^ x 
. . . X S^). Let 5r = DkS^ Thus, 5^ consists of all those 
strategies for i that survive (an arbitrary rnimbcr of rounds 
of) iterated deletion of weakly-dominated strategies. 

Note that we are requiring that all weakly-dominated strate- 
gies are deleted at each step. If we allow an arbitrary subset 
of weakly-dominated strategies to be deleted at each step, 
then which strategies survive iterated deletion is quite sen- 
sitive to exactly which strategies are deleted at each step. 
Deleting all possible strategies at each step is not only the 
most natural approach, but the only one consistent with the 
intuitions underlying iterated deletion [4]. 

We take a mechanism to be a pair (F, a) consisting of 
a game and a joint strategy for that game. Intuitively, a 
mechanism designer designs the game F and recommends 
that player i follow Ui in that game. The expectation is 
that a "good" outcome will arise if all the players play the 
recommended strategy in the game. Designing a mecha- 
nism essentially amounts to designing a protocol; the rec- 
ommended strategy is the protocol, and the game is defined 
by all possible deviations from the protocol. (F, a) is a prac- 
tical mechanism if <? is a Nash equilibrium of the game F that 
survives iterated deletion of weakly-dominated strategies. 

3. SECRET SHARING 

In this section, we prove that there is no practical mecha- 
nism for secret sharing with a commonly-known bound on its 
running time, provided we make some reasonable assump- 
tions about the preferences of players, and then show that, 

under the same assumptions, there is a randomized practi- 
cal mechanism for secret sharing that has constant expected 
running time. 

3.1 The Impossibility Result 

In this section, we assume for simplicity that there is a 
share "issuer" that can issue secret shares that are atomic 
and cannot be subdivided. The issuer authenticates the 
shares, so a player cannot substitute a false share for its 
true one. We assume that the utility of a run of a mecha- 
nism depends only on which players can compute the secret. 
Formally, given a run r in the game tree, let info{r) be a tu- 



pie (s(), . . . , s„), where Si is 1 if player i learns the secret 
in r, and is otherwise; let info^{r) = Si. The following 
assumption says that player i's utility depends just on the 
information that each of the players get: 

Ul. Ui{r) = Ui{r') if info{r) = info{r'). 

The atomicity assumption implicit in Ul is dropped in Sec- 
tion 4.1, where the utility of a run is allowed to depend on 

whatever partial information the players have. Note that 
even in this section we allow the issuer to issue a sequence 
of shares. That is, player i receives shares hii,...,hiN, 
and if i has m of the shares of the form hjis/i for some 
N' € {1, . . . , TV}, then i can compute the secret. If, for 
all iV' € {1, . . . , N}, i has fewer than m shares of this form, 
then i cannot compute the secret. 

The next two requirements encode the assumption that 
each player prefers getting the secret to not getting it, and 
prefers that fewer of the others get it. 

U2. If m/Oj(r) = 1 and m/Oj(r') = 0, then Ui{r) > Ui{r'). 

U3. If infOi{r) = infOi{r'), infOj{r) < mfoj{r') for all j ^ i, 
and there is some j such that mfOj{r) < infOj{r'), then 

Suppose that in run r the players in P learn the secret, 
while in run r' the players in P' learn the secret, where 
either i e P D P' oi i ^ P LI P' . While it follows from 
U3 that Ui{r) > Ui{r') if P C P', we maJte no assumptions 
about the relative utility to i of r and r' if |P| > |P'|. It 
could be, for example, that there is some particular player j 
such that i particularly does not want j to learn the secret. 

Theorem 3.1. // players' utilities satisfy Ul U3, then 
there is no practical mechanism {T,a*) for m out of n se- 
cret sharing such that T is finite and, using a* , some player 
learns the secret. 

The basic idea of the proof is just the backward induc- 
tion suggested in the introduction. Given a mechanism 
M = (r, a*) for m out of n secret sharing, say that a strat- 
egy (Tj for player i reveals useful information at a node v in 
the game tree for T if (a) v is reachable with Ci (that is, there 
is some strategy a_i for the other players such that (a-i, a-i) 
reaches v with positive probability), and (b) according to 
strategy at, at v, with positive probability player i sends 
some other player j such that i does not know j already has 
m shares a share of the secret that i does not know that j 
already has. Note that here and elsewhere, when describing 
the strategies, we often use phrases such as "player t knows 
P" for some proposition P. Player i knows P at a node v 
in a game tree if at all nodes v' in the game tree where i 
has the same local state, P is true. (This usage is consistent 
with the standard usage of knowledge in distributed systems 
[10].) Typically, these statements about knowledge reduce 
to concrete statements about messages being sent and re- 
ceived. For example, i ^ j knows that j has k's share of the 
secret if and only if 

• j = k, or 

• i has sent k's share to j, or 

• i has received k's share from j, or 



• i has received a message containing k's share signed 
with j's unforgeable signature. 

With regard to the last point, note that we allow the possi- 
bility of protocols that make use of unforgeable signatures. 
(It would actually considerably improve the argument if we 
did not allow them.) Given a node v in the game tree of 
r, define round(v) = /i if there is a path of length h from v 
to a leaf in the game tree and there are no paths of length 
h + 1 from V to & leaf in the game tree. Thus, round(i;) = 
if w is a leaf, and round (u) = oo if there is an infinite path 
starting at v. 

Let Bi consist of all strategies for player i in game F that 
reveal useful information at a node v such that round (ti) = 
h. (Note that if F has no finite paths, then Bi = 0.) RecaU 
from Section 2 that Si' consists of the strategies for player i 
that survive h rounds of iterated deletion (so that Sf consists 
of all strategies for player i). Let TZ^i = <Sf , and let TZi = 
TZl — u'l^^{Bi ). The backward induction argument would 
suggest that, if the game tree for F is finite, then Si = 
TZi - That is, the strategies that survive h rounds of iterated 
deletion in finite games arc precisely those in which no useful 
information is revealed in the last h rounds. While this is 
essentially true, it is not as obvious as it might first appear. 

For one thing, while it is easy to see that all strategies in 
B} are weakly dominated — i cannot be better off by reveal- 
ing information in the last round — these are not the only 
weakly-dominated strategies. Characterizing the weakly- 
dominated strategies is nontrivial. Even ignoring this prob- 
lem, consider how the argument that all strategies in are 
weakly dominated with respect to the strategies that remain 
after h rounds of iterated deletion might go. Let ai £ Bi, 
so that, with positive probability, i reaches a node u in F 
that is no more than h rounds from the end of the game 
where i reveals useful information. Since ai has not been 
deleted earlier, we would expect that i does not reveal use- 
ful information at later rounds, nor do any of the undeleted 
strategies for the other players. We would further expect 
that ai would be weakly dominated by the strategy a'i that 
is identical to ai except that at the node v and all nodes be- 
low V, according to a'i, i sends no message (and thus reveals 
no useful information). It is easy to see that i is no worse 
off using a'i than ai — there is no advantage to i in revealing 
useful information when no other player will reveal useful 
information as a result of getting i's information. However, 
to show that a'i weakly dominates ai, we must show that a'i 
is not itself deleted earlier, and that there is some strategy 
a-i for the other players that was not deleted earlier such 
that Ui{ai,a-i) < Ui{a'i,a-i). Intuitively, a-i should be 
such that m — 2 other players send their shares at the same 
time as i, so that with i's share, everyone can figure out the 
secret but without it, they cannot. While this intuition is in- 
deed correct, showing that all the relevant strategies survive 
h rounds of iterated deletion turns out to be surprisingly 
difficult. In fact, it seems that we need an almost complete 
characterization of which strategies are deleted and when 
they are deleted in order to prove the result. We now pro- 
vide that characterization. 

Besides "player i knows P" , the strategy descriptions in- 
volve phrases such as "player i considers P possible" , "player 
i tells j that he knows m shares" , "player i can prove to j 
that he (player i) knows m shares" , and "player i can prove 
to j that k knows m shares" . Possibility is the dual of knowl- 
edge, so that player i considers P possible if player i does 



not know -iP. Player i tells j P or proves P to j at node 
if i sends j messages that guarantee that, at the node after 
V, j knows P. For example, player i can prove to j that k 
knows m shares if i can send to j messages signed with fe's 
unforgeable signature containing m — 1 shares other than fe's 
share. 

Consider the following families of strategies for player i. 
Intuitively, these are families of strategies that are deleted in 
the iterated deletion procedure. To simplify the description 
of these strategies, we write "[. . . ]" as an abbreviation of 
"there is a strategy for the other players such that a node 
V is reached with positive probability and, at i),". We also 
assume for ease of exposition that secrets are shared just 
once. This is relevant because in the mechanism we present 
in Section 3.2, secrets may be shared multiple times. If 
we consider a sequence of secret sharings, then rather than 
saying something like "player i does not know that player j 
has m — 1 shares" , we would have to say "player i does not 
know that player j has m — 1 shares of a particular sharing 
of the secret" . 

• Let consist of all strategies for player i such that 
[. . . ] i has m shares, i does not know that all the other 
players have all m shares, and, with positive probabil- 
ity, i sends each of the other players enough shares so 
that, after sending, i will know that they all have m 
shares. (Intuitively, if i already knows the secret, there 
is no advantage in i making sure that everyone knows 
the secret.) 

• If m = n, let (-4^)' consist of all strategies for player 
i such that [. . . ] i has all m shares and, with posi- 
tive probability, i sends out its share to some player, 

although i has never previously sent out its share to 
any player; if m 7^ n, then (.4^)' — 0. (Intuitively, if i 
knows the secret, and it has information — namely, its 
own share — which it has not revealed that is critical 
to everyone else learning the secret, then i should not 
send out this information. Note that i's share is not 
critical to others learning the secret if m ^ n, so this 
condition is vacuous if m n.) 

• If m = n = 2, let consist of all strategies for player 
i such that [...] i sends its share to the other player. 

If m = n = 3, let >li consist of all strategies for player 
i such that [. . . ] i has all three shares, i considers 
it possible that some other player j has only its own 
share, i knows that the third player k has all three 
shares, and, with positive probability, either 

(a) i sends j either i's share or fe's share, or 

(b) i does not know that fc knows that i has all three 
shares and does not tell fe that it has all three 

shares. 

(Intuitively, if i knows that the only player missing 
the secret is j, then it should try to do what it can 
to stop j from getting the secret. This includes not 
sending j information and making sure that that the 
third player fe knows the situation, so that k will not 
send j information.) 

If in = 3 and n = 4, let consist of all strategies 
for player i such that [. . . ] there exist players j, k, I 
such that the utility to i if i, j, and fe learn the secret 



is no higher than the utility to i if i, j, and I learn 
the secret, i knows that everyone knows that everyone 
has fe's share and I's share, i considers it possible that 
fe and I lack both i's share and j's share, and, with 
positive probability, i sends its share or j's share to 
player k. (Intuitively, if i has the secret and knows that 
j knows the secret, but considers it possible that both 
fc and / arc missing shares, it should not guarantee that 
fe learns the secret if fe learning the secret is at least 
as bad as / learning the secret. While this intuition 
seems very reasonable, note that it applies only if i 
knows that fe and I are missing at most one share.) 

If m = n = 4, let Ai consist of all strategies for player 
i such that [. . . ] there exist players j, fe, / such that the 
utility to i if i, j, and fe learn the secret is no higher 
than the utility to i if i, j, and I learn the secret, i has 
all four shares, i knows that j has all four shares, and 
that everyone knows that everyone has all the shares 
other than possibly i's, i considers it possible that fe 
and I both lack i's share, and, with positive probability, 
i sends its share to player fe. (The intuition here is the 
same as in the m = 3, n = 4 case, but again, note that 
it applies only in quite restricted circumstances.) 

Otherwise, = 0. 

• Let {AiY consist of all strategies for player i such that 
[. . . ] i has m shares, i considers it possible that j does 

not have all rn shares, i knows that j has m — 1 shares 
and i can prove this to all the other players, i knows 
that all players k ^ j have m shares and can prove 
this to each player fe' ^ {i,j, fe}, and, with positive 
probability, i does not prove to each player k ^ j that 
each player fe' ^ {j, fc} has m shares and that j has 
m — 1 shares. (The intuition here is much as that for 
A^ in the case m = ri = 3: if i knows that all but 
one player has the secret, it should do what it can 
to prevent that player from getting the secret, which 
includes making sure that the other players know the 
situation.) 

• If m = n = 3, let consist of all strategies for player 
i such that [. . . ] i has all three shares, i considers 
it possible that some player j does not have all three 
shares, and, with positive probability, reaches a node 
v' at the next step such that i knows at v' that the 
third player fe will eventually know all three shares, 
and either 

(a) in getting from « to «', i sends j a share that i 
does not know at v that j has; 

(b) i does not know at v' that fe has all three shares; 

or 

(c) i does not know at v' that fe knows that i has all 
three shares. 

(The situation here is similar to that in the m = n = 3 
case of A^, except that now, rather than i knowing at 
V that fe has all three shares, i knows only that, with 
positive probability, fe will have all three shares. If i 
knows that fe will eventually have all three shares, then 
i might as well tell fe all three shares right away, and 
also tell fe that i has all three shares. This will prevent 
fe from sending j information.) 



If m = 3 and n = 4, let consist of two sets of 
strategies: 

(1) All strategies for player i such that [. . . ] there exist 
players j, k, I such that i knows that j is indifferent as 
to whether i, j, and fc or i j, and / learn the secret, i 
knows that j has k's share and I's share, i knows that 
everyone (except possibly j) knows that everyone has 
k and I's shares and can prove this to j, i considers it 
possible that k and I lack both i's shaxe and j's share, 
and, with positive probability, i either 

(a) sends its share or ;;'s share to or /, or 

(b) does not prove to j that everyone knows that ev- 
eryone has k and Vs shares. 

(The situation here is the same as that in the m = 3, 
n = 4 case of Jcl, except that i does not necessarily 

know that j knows that everyone has k and Vs shares. 
By sending the messages, i can ensure that the an- 
tecedent of A?j holds, so that j will not send messages 
to k.) 

(2) All strategics for player i such that [. . . ] there 
exist players j, k, I such that i knows that the utility 
to j if i, j, and k learn the secret is no greater than 
the utility to j if i, j, and I learn the secret, i knows 
that j knows that everyone knows that everyone has 
k and Z's shares, i considers it possible that k and I 
lack both i's share and j's share, and, with positive 
probability, i sends its share or j's share to /. (Here, 
i knows that j will not send useful information to fc, 
because that would be in A]. Hence sending a third 
share to I produces the worst possible outcome for i.) 

If m = n — 4, let Ai consist of all strategies for player 
i such that [. . . ] there exist players j, k, I such that 
the utility to i if i, j, and k learn the secret is no 
higher than the utility to i if i, j, and I leam the 
secret, i has all four shares, i considers it possible that 
k and I both lack j's share, with positive probability, 
i reaches a node v' at the next step such that, at w', i 
knows that eventually j will both know all four shares 
and that everyone knows that everyone has all shares 
except possibly j's, but either 

(a) at v' , i does not ensure that j knows these facts, 

or 

(b) in getting from v to v' , i sends j's share to k. 

(The situation here is much like the antecedent of the 
m = n — A case of ylf, except that i does not know 
at V that j has all four shares or that j knows that 
everyone heis the two shares other than j's; however, 
i docs know that, with positive probability, this will 
eventually be the case. Intuitively, if it eventually is 
going to be the case, then i should make it happen as 
quickly as possible, since then the antecedent to A?j 
will hold, and j will not send messages to k.) 

If m = 2 or n > 4, then ^? = 0. 

• Let {A^y consist of all strategies for player i such 
that [. . . ] i has m shares, i considers it possible that 
some player j does not have all m shares, i knows that 
j has m — 1 shares and i can prove this to all the 
other players, i knows that all players k ^ j have m 



shares and there is a player k' ^ {i, j} such that for all 
k ^ {i,j,k'}, i can prove to each player k" ^ {i,j,k} 
that k has m shares, i considers it possible that there is 
at least one player who does not know that all players 
except j have m shares and that j has m — 1 shares, 
and, with positive probability, i does not provide k' 
with evidence that it can use to prove to everyone else 
that it (fc') knows that each player k ^ {j, k'} has m 
shares and that j has m — 1 shares or there exists a 
player /' ^ {i,j,k'} such that i can prove to I' that 
all players have m shares, except possibly j who has 
m — 1, i considers it possible that I' does not already 
know this fact, and i does not prove it to I'. (The 
situation here is that i knows that everyone has the 
secret but j, and j only needs one share to get the 
secret. In that case, i should make everyone else aware 
of the situation, as quickly as possible.) 

• If m = n = 3, let {Ai)'" consist of all strategies for 
player i such that [. . . ] i has j's share but not k's, 
j has i's share, i does not know both that k has all 
three shares and that k knows that j has i's share, 
and i sends messages to k that ensure that k has all 
three shares and that k knows that j has i's share. 
(Intuitively, i should not send information to k that 
might prevent k from later sending useful information 
to i.) 

If n > 3 or m / n, then (Ai)'" = 0. 

• Let Ci, consist of all strategies for i such that [...] (a) 
round(?;) = h, (b) i knows m shares, (c) if m = n, 
i has sent out its share earlier, and (d) with positive 
probability, i reaches a node v' at the next step such 
that there exists a player j such that i knows at v' that 
all the players but j know m shares, in going from v 
to v' , i sends j a share that i does not know at v that 
j has, and i sends no useful information at any node 
v" with rourid(u") > h. 

• Let consist of all strategies for i such that [...] (a) 

round(ti) — h, (b) i knows all the shares, (c) i has sent 
out its share earlier, (c) i reveals no useful information 
at a node v' with round(ti') > h + 1, and (d) there 
exist players j and k such that, at v, i knows that all 
the other players but j and k have m shares and can 
prove this to j but does not, i knows that at the step 
immediately after v, j will have all m shares, and i 
considers it possible that, after v, k will not have all 
m shares and that j will not know that everyone other 
than j and k has m shares. 

• If m = 3, let {'D'^Yi consist of all strategies for player 
i satisfying (a), (b) and (c) from the definition of Df, 
and also (d') there exist j and k such that, at v, all 
players know j and fe's shares, and i can prove to j 
that all players besides j and k know j and k's shares, 
and either i considers it possible that j docs not know 
that all players but j and k have m shares, and does 
not prove this to j, or i considers it possible that j has 
only two shares, and sends j a third share. 

li m — n — 4:, let (X>'')i, consist of all strategies for 
player i satisfying (a), (b) and (c) from the definition 
of Vf, and also (d") there exist players j, k, and I such 
that i can prove to j that i has all four shares, i knows 



that / has aU four shares and can prove to j that / 
has j and fc's shares, i knows that j and k have each 
other's shares and that k has Vs share, and either (i) 
i knows that j knows I's share or i sends I's share to 
j but does not prove to j that i knows all four shares 
and that / knows j and k's shares or (ii) i sends j i's 
share if it does not already know that j has i's share. 

Otherwise, (!>'')• = 0. 

Recall that Bi' consists of all strategies for player i that 
reveal useful information at a node 'v with round(t;) = h. Let 
A' = u?=iA'; {A'Y, A\ A', {A')', (A')", {A')'", 

B^, C*, V", and {V^)' , h = l,2,... arc defined similarly. Let 
£^ = A' U {A'YUB' UC^+' UV'+^ U for j = 1. 2: let 

£^ = A^u {A^Y u (A)" u {Ay uB^uc^uv^u [v^Y; let 

= yl^ U U U 2?« U (2?5)'; let £' = B' U C'+^ U V'+'^ 
for j > 5. 

Proposition 3.1. Let M be a mechanism for secret shar- 
ing. After k steps of iterated deletion, all the strategies in S'' 
have been deleted; moreover, no deterministic strategy not in 
5^ U U . . . U f has been deleted. 

Note that Proposition 3.1 provides a complete characteri- 
zation of when deterministic strategies are deleted, but does 
not do so for randomized strategies. Knowing when deter- 
ministic strategies are deleted turns out to suffice to prove 
the result by induction. It immediately follows from Propo- 
sition 3.1 that there is no practical mechanism for secret 
sharing with a finite game tree: no strategy whore any player 
sends her share survives more than N steps of iterated dele- 
tion, where is a bound on the depth of the game tree. 

If m = n = 2, all strategies where a player sends its share 
to another player must be in A^. Thus, the following is an 
immediate corollary to Proposition 3.1. 

Corollary 3.1. There is no practical mechanism for 2 
out of 2 secret sharing (even with an infinite game tree). 

3.2 A Randomized Practical Mechanism for 
Secret Sharing 

In light of Theorem 3.1, the only hope of getting a prac- 
tical mechanism for secret sharing lies in using uncertainty 
about when the game will end to induce cooperation. We 
now present a randomized protocol for 3 out of 3 secret shar- 
ing, and then show how to extend it to m out of n secret 
sharing. 

Suppose that players can toss coins in a way that every- 
one is forced to reveal their coin tosses after a round is over. 
Consider the mechanism whose suggested strategy is as fol- 
lows: everyone tosses their coin, and is supposed to send 
their secret if their coin lands heads. In the next stop, ev- 
eryone reveals their coin. If everyone learns the secret, or if 
someone cheats (fails to send their share even though their 
coin w£is heads), then the game ends. Otherwise the issuer 
issues new shares of the secret (that is, uses a completely 
different polynomial and sends shares of that polynomial) , 
and the process repeats. 

Consider the incentives of a player that has tossed heads 
and is supposed to send its share. If it withholds its share 
in the last step it might be lucky, because it might hap- 
pen that the other two players are also about to send their 
shares. Then it will learn the secret when the others do 



not, which it considers the best possible outcome. How- 
ever, if the others do not both send their shares but de- 
tect that the first player has cheated, they will stop the 
protocol and nobody will learn the secret. This is a worse 
outcome than the honest one for the cheater. This mech- 
anism ensures that when a player is considering withhold- 
ing its share when it ought to send it, the probability of 
getting caught but not learning the secret is high (3/4), 
while the probability of learning the secret when no one else 
does is only 1/4. As long as iui(onIy i learns the secret) -|- 
|Mi(no one learns the secret) < w, (everyone learns the secret), 
then player i will not be tempted to cheat. If player i's util- 
ities do not satisfy this inequality, the probability of heads 
can be modified appropriately. 

Unfortunately, this mechanism still has a problem: even if 
everyone is honest, there is a chance that one of the players 
might learn the secret when the others do not. If exactly 
two of the coins land heads, then the player who tossed tails 
will be able to reconstruct the secret, but the other two will 
not. The one who already knows the secret will certainly 
have no incentive to continue the game at that point! We 
solve this problem by tossing the coins in such a way that if 
exactly two players get heads, then no one learns the secret. 
We proceed as follows. 

Call the players 1, 2, and 3.^ For i e {1,2,3}, let i+ 
denote i -|- 1 except that 3"'" is 1; similarly i~ is i — 1 except 
that 1~ is 3. Consider the following protocol: 

0. The issuer sends each player a signed share of the se- 
cret, using 3 out of 3 secret sharing. 

1. Each player i chooses a bit c, such that Cj = 1 has 
probability a and d = has probability 1— a, and a bit 

C(i._(_) at random (so that and 1 both have probability 
1/2). Let C(i__) = Ci © C(i__|_). Player i sends C(j__|_) to 
i"*" and C(i^_) to i~ . Note that this means that i should 
receive C(j+ _) from i"*" and C(j-__|_) from i~ . 

2. Each player i sends C(i+ _) © d to i~ . Thus, i should 
receive C((i+) + __) © Cj+ — C(i- _) © c^+ from i+. 

3. Each player i computes p = C(i- ^^)©C(j- __)®Cj+®Ci = 
Ci- © Ci+ © Ci = ci ® C2 ® C3. If p = Ci = 1 then player 
i sends its signed share to the others. 

4. If p = and i received no secret shares, or if p = 1 
and i received exactly one share (possibly from itself; 

that is, we allow the case that i did not receive any 
shares from other players but sent its own), the issuer 
is asked to restart the protocol; otherwise, i stops the 
protocol (either because it has all three shares or be- 
cause someone must have been cheating). 

If, at any stage, player i does not receive a bit from a player 
from whom it is supposed to receive a bit, it also stops the 
protocol. 

Given a set of possible messages that each player can send 
at each point, this protocol determines a mechanism: there is 
an infinite game tree where, at each point, players send some 
messages that they are able to send; the recommended joint 
strategy is the protocol above. Call this mechanism M(a), 
where a is the probability of Ci = 1 at step 1 above. 

^Note that the secret issuer, player 0, is taken to be honest 
and is not part of the game. 



Theorem 3.2. For all utility functions satisfying U1-U3, 
if n > 3, there exists an a* such that M{a) is a practical 
mechanism for m out of n secret sharing for all a < a* . 
Moreover, the expected running time of the recommended 
strategy in M{a) is hjo? . 

Proof. (Sketch:) First consider the m = n = 3 case. 
Consider what happens if all the players follow the protocol. 
Player i sends its secret iff Ci ® c^- © Cj+ = 1 and a = \. 
This can happen only if ci = C2 = C3 = 1 or if = 1 and 
Cj- = Cj+ = 0. Thus, all the players send their shares (and 
learn the secret) iff ci = C2 = C3 = 1, which happens with 
probability q^. If Ci = 1 and c^- = Cj+ = (which happens 
with probability a(l — a)^), player i sends its share of the 
secret but the other two players do not, so no one learns the 
secret. If ci ® C2 ® C3 = 0, then no player sends its share. 
Thus, cither all players learn the secret, or no player docs. 
Moreover, the protocol clearly has an expected running time 
of rounds. 

Does player i have an incentive to cheat at step 3, given 
that all the other players follow the protocol? The most 
obvious way that player i can cheat is by not sending its 
share when it should, that is, if Ci — ci ffi C2 ffi C3 = 1. 
Player i gains in this case if Cj+ = c,- = 1, which happens 
with conditional probability /{a^ + (1 — a)^), and loses if 
Cj_ = Cj- = 0, which happens with conditional probability 
(1 — of' lip? + (1 — oif'). Note that nothing that player i 
can do can influence these probabilities, since each player j 
chooses its bit Cj independently. Thus, a rational player i 
will cheat only if 

a^+(i-ct)^ Mi (only i learns the secret) 

+ a^Xi^-a)'^ tti (no one learns the secret) (1) 
> Mi (everyone learns the secret). 

It follows from U1-U3 that 

Mi (only i learns the secret) 

> Mi (everyone learns the secret) (2) 

> Mi (no one learns the secret). 

It is immediate from (2) that there exists some a* such that, 
for all i and all a < a*, (1) does not hold. Thus, if a < a*, 
then no player has amy incentive to cheat at step 3. 

It is easy to check that each player has no incentive not 
to send bits as required in step 1 and 2, assuming that the 
other players arc following the recommended strategy: this 
will simply cause the other players to stop playing. Suppose 
that the bits C(i^+) and C(i__) that player i actually sends at 
step 1 are not the ones that it was supposed to send. This 
is easily seen to be equivalent to player i changing the dis- 
tribution with which Ci and C(i,+) arc chosen. Although this 
changes the probability that messages will be sent in step 
3, it is easy to show that it docs not affect the probabilities 
in (1). Thus, player i's expected utility does not change if 
player i changes the probabilities in step 1, so player i has 
no incentive to cheat at step 1 if all other players follow 
the recommended strategy. Finally, it is easy to show that 
player i will not cheat at step 2, since this just means that 
i^ may incorrectly compute ci ® C2 ffi C3, which may cause 
the protocol to terminate with no one learning the secret, 
and will certainly not cause i to learn the secret, since at 
most one of the others will send its share. This argument 



shows that the recommended protocol in M(a) is a Nash 
equilibrium for a < a*. 

To show that the recommended protocol survives iterated 
deletion of weakly-dominated strategies, consider strategies 
for player i that the following property: 

(*) if there is nontrivial randomization at node m, then 
player i docs not have all m shares and does not send 

out any shares. 

Note that the protocol above satisfies (*), so it suffices to 
show that strategies satisfying (*) are not deleted. This 
is relatively straightforward, using the observation that, by 
Proposition 3.1, all deterministic strategies not in f ^U. . .Uf * 
survive iterated deletion. (Note that, since the game here is 
infinite, C'\ V'^, and (!>'')' are aU empty in this case.) 
We leave details to the full paper. 

This completes the argument for 3 out of 3 secret sharing. 
To do m out of n secret sharing for m > 3, n > 3, we 
simply partition the players into three groups, and designate 
m players such that each group has at least one of the m 
designated players. One of the designated players in each 
group is taken to be the leader. Each of the rn designated 
players sends its share to its group leader. The three leaders 
then essentially use the mechanism sketched above, except 
that when they are supposed to send out their share, they 
send all the shares of their group to everyone. Finally, to 
do 2 out of n secret sharing for n > 3, the two players with 
shares partition their shares into n — 1 subsliarcs, and send 
the subshares to the other n — 1 players, along with a zero 
knowledge proof that they have constructed the subshares 
honestly. Thus, the two players with the original shares will 
each have one subshare, while the other players will have two 
subshares. The players then do n out of n secret sharing, 
with the subshares being the secrets. □ 

There is an important caveat to this result. The mech- 
anism requires that each player (or the system designer) 
knows the other players' utility functions. This is neces- 
sary in order to choose the probability a appropriately. It 
actually is not critical that the players know the other play- 
ers' utility function exactly. They just need to know enough 
about the utility function so as to choose an a sufficiently 
small so as to guarantee that (1) does not hold. In practice, 
this does not seem unreasonable. 

4. MULTIPARTY FUNCTION COMPUTA- 
TION 

As suggested in the introduction, the results for multi- 
party computation are similar in spirit to those for secret 
sharing. However, some new subtleties arise both in the 
impossibility result and the possibility result. 

4.1 The Impossibility Result 

The impossibility result for multiparty function computa- 
tion is essentially a generalization of Theorem 3.1. However, 
we now no longer want to assume that there is an atomic 
secret such that a player's utility depends only on who gets 
the secret. Rather, we consider a class of problems where 
the players have some initial pieces of "information" and 
the mechanism itself defines a number of other pieces of in- 
formation of interest. A player's utility again depends on 
which pieces of information it and all the other players have 



at the end of the execution. Our impossibiUty result appUes 
in particular to the special case of multiparty computation 
where the functionality required is the fair exchange of se- 
crets; as far as we are aware, all available protocols for this 
problem have an upper bound on their running time, and 
therefore are not appropriate for selfish parties [2, 3, 7, 8, 9, 
14]. 

More formally, assume that there arc some pieces of infor- 
mation of interest, say /i, . . . , 7m- In the case of secret shar- 
ing, there is only one piece of information of interest, namely, 
the secret. In the case of multiparty function computation, 
the pieces of information of interest are each player's pri- 
vate information and the value of the function. A mecha- 
nism may define further pieces of information Jm+i, ■ . . ,In 
of interest. For example, if the secret has 6 bits, one piece 
of information may be the first 6/2 bits of the secret. 

Given a path r in the game tree, we generalize the notation 
of Section 3.1 by letting info{r) be the tuple (Xi,...,Tn), 
where Ti is the set of pieces of information that player i 
obtains in run r. Let info^{r) = Tj; thus, ^nfo^{r) is the 
information that i gets in r. 

We assume that a player's utility function satisfies the 
following analogues of U1-U3: 

VI. Ui{r) = Ui{r') if info{r) — info(r'). 

V2. If info^{r) D tnfo^{r'), and infOj{r) C infOj{r') for j ^ 
i, then Ui(r) > Ui{r'). 

V3. If i / j, info^ir) C infoj{r'), infOj,{r) = infOj,{r') for 
j' / j, and Uj(r) < Uj(r'), then Ui{r) > Ui{r'). 

V4. If m/Oi(ri) = infOi{r'i), infOi{r2) = infOi{r'2), info^iri) = 
infOj{r2) for j =^ i, infOj{r[) = infOj{r'2) for j ^ i, and 

Mi(ri) < iti(r2), then Ui(r'i) < Ui{r2). 

VI is the obvious generalization of Ul; it says that a player's 
utility depends only on the information that each of the 
players get. V2 says that player i is no worse off if he gets 
more information and the other players get less. V3 says 
that if getting more information makes j strictly better off, 
then j getting that information makes i worse off. Finally, 
V4 is an independence assumption. It says that whether or 
not i is better off with certain information is independent 
of what the other players have. In more detail, since all the 
players other than i have the same information in n and 
r2 and Mi(ri) < Ui(r2), then i must be better off with the 
information he has in r2 than the information he has in ri. 
Since i has the same information in r'2 as in r2, and the same 
information in r'l as in r\ , and all other players have the same 
information in r'l and r'2 (although that information may be 
different from what they had in n and r2), V4 says that i 
should also be better off in r2 than in r'l . It is easy to check 
that if U1-U3 are satisfied for secret sharing (where the only 
piece of information of interest is the secret), then V1-V4 are 
too. We remark that when a player "has" a certain piece of 
information, there may actually be a small probability that 
this information is incorrect. Nevertheless, as long as the 
probability is low enough, V1-V4 seem reasonable. 

With these assumptions, we can prove an analogue to The- 
orem 3.1 for secret sharing. 

Theorem 4.1. If players' utilities satisfy V1-V4, then 
there is no practical mechanism (r,a*) for multiparty func- 
tion computation such that T is finite, and using a* , some 
player learns the function value. 



4.2 A Randomized Practical Mechanism for 
Multiparty Computation 

In this section we focus on the special case of the frame- 
work in the previous section where the only pieces of infor- 
mation are Iq, ■ ■ ■ ,In, where Jo is the value of the function 
and li is player i's private value, for i = 1, . . . ,n. For sim- 
plicity, we restrict attention to multiparty computation of 
Boolean functions.^ We say that a run r is admissible if no 
player learns any other player's private information in r, and 
let «ra/Oj,) (r) be or 1 depending on whether or not i learns 
the value of the function in r. We assume that the players' 
utility functions satisfy the following analogue of U2: 

V5. If r and r' are admissible, infOfQ{r) = 1 and infOj^Q{r') = 
0, then Ui{r) > Ui{r'). 

As we said in the introduction, it follows from Shoham and 
Tennenholtz's results [19] that only certain functions, which 
they call non- cooperatively computable (NCC), can be com- 
puted, even with a trusted party, because only for NCC 
functions do the players have an incentive to reveal their 
private inputs truthfully, if players' preferences satisfy VI- 
V5. Clearly if a function / is not NCC, then we cannot hope 
to compute its value with revealing private information in 
the absence of a trusted party. We now show that if it is in 
NCC, then we can compute its value. 

Theorem 4.2. Assuming the existence of one-way 1-1 func- 
tions, if f is non-cooperatively computable, n >3, and play- 
ers' utilities satisfy V1-V5, then there is a (randomized) 
practical mechanism for computing f that runs in constant 
expected time. 

Proof. The mechanism for multiparty computation com- 
bines ideas of the secret sharing mechanism in Section 3.2 
and the multiparty function protocol of Goldreich, Micali, 
and Wigderson [13]. Goldreich [12, Section 7.3] provides a 
careful proof of the correctness of the protocol, against what 
he calls semi-honest or passive adversaries. In our context, 
this means that players are allowed to lie about their initial 
values, and are allowed to abort the protocol for any reason 
(including getting the value of the function, in the hopes 
that other players have not gotten the value), but all mes- 
sages they send must be the ones that the protocol says they 
should send, given their claimed initial values. The key idea 
is to simulate the computation of a circuit for computing /, 
such that, at each stage of the protocol, the value of a node 
in the circuit is viewed as a secret, and all players have a 
share of that secret. Our protocol also uses this circuit sim- 
ulation, but replaces the last step of secret sharing (where 
the players actually learn the value of the function) by the 
secret-sharing protocol from the practical mechanism given 
in Section 3.2. Goldreich then shows how to force semi- 
honest behavior, using zero-knowledge and bit-commitment 
protocols. We can employ the same techniques in our proto- 
col to force semi-honest behavior; this is where we need the 
assumption that one-way 1-1 functions exist, just as Goldre- 
ich does.* While, as Goldreich points out, in his setting, we 

^We do this because the results we refer to, in particular [12, 
19], consider only Boolean functions. We believe that we can 
extend to arbitrary functions with no difficulty, although we 
have not worked out the details. 

*As we show in the full paper, we can actually simplify Gol- 
dreich's arguments given our assumption of rationality. 



cannot force players to reveal their true input values, if / is 
NCC, then, by V5, it is to a player's benefit to reveal the 
true input value. Similarly, it is to the player's benefit not 
to abort the protocol. 

The proof that this strategy is a Nash equilibrium and 
survives iterated deletion is similar to the argument given 
in the proof of Theorem 3.2, with the share issuer imple- 
mented by the multiparty computation protocol, and the 
zero-knowledge proofs acting in the same way as the signa- 
tures on shares. We omit details here. □ 

5. CONCLUSIONS 

We have shown how to apply ideas of rationality to secret 
sharing and multiparty computation. This allows us to think 
of players as being rational, rather than "good" or "bad". 
For many applications of multiparty function computation, 
this seems like a far more reasonable approach. Many open 
problems remain, including the following: 

• We have assumed that we arc working in synchronous 
systems. We conjecture that in asynchronous systems 
there are no practical mechanisms for secret sharing 
or multiparty computation satisfying (some variant of) 
U1-U3, but have not yet proved this. 

• We have focused on preferences that satisfy U1-U3. 
McGrew, Porter, and Shoham [16] characterize when 
multiparty computation is achievable with a trusted 
party under various other assumptions about players' 
preferences. We conjecture that it will continue to 
be the case that wc can do multiparty computation 
without a trusted party whenever we can do it with a 
trusted party. 

• We have concentrated on strategies that are Nash equi- 
libria and survive iterated deletion of weakly-dominated 
strategies. What about other solution concepts? We 

note that our impossibility result (Theorem 3.1) does 
not hold for trembling hand equilibria, and therefore 
not for sequential or subgame perfect equilibria either. 

• Our mechanism requires, not just knowing that the 
utilities satisfy U1-U3, but exactly what the utilities 
are. Is there a single mechanism (without a parameter 
a) that works for any utilities that satisfy U1-U3? 
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